Attacks, Threats, and Vulnerabilities
Russian Hackers Continue With Attacks Despite Biden Warning (BloombergQuint)
Dozens of active Cozy Bear C2 servers for data-stealing malware identified (Computing) WellMess and WellMail malware strains have been used in espionage campaigns targeting Covid-19 research
RiskIQ Uncovers Infrastructure Patterns Leading to 35 Active Russian APT29, aka Cozy Bear, C2 Servers (GlobeNewswire News Room) RiskIQ, a leader in internet security intelligence, has uncovered more than 30 active command and…
Bear Tracks: Infrastructure Patterns Lead to More Than 30 Active APT29 C2 Servers (RiskIQ) One year ago, amid a global pandemic, the UK, US, and Canadian governments issued a joint advisory detailing a Russian espionage campaign that targeted COVID-19 vaccine research efforts in their respective countries. They attributed the campaign to Russia’s APT29 (The Dukes, Yttrium, Cozy Bear) and explicitly identified the group as an extension of Russia’s Foreign Intelligence Service (SVR). For the first time publicly, they also attributed the malware used in the campaign, known as WellMess and WellMail, to APT29.
Spyware features found in Chinese state benefits app (The Record by Recorded Future) Spyware-like features have been discovered inside an app named “Beijing One Pass” that foreign companies operating in China are forced to install on their systems in order to access a digital platform to manage employee state benefits.
Phantom Warships Are Courting Chaos in Conflict Zones (Wired) The latest weapons in the global information war are fake vessels behaving badly.
South Africa’s Transnet restores operations at ports after cyber attack (Reuters) South African state logistics firm Transnet has fully restored operations at ports following a cyber attack that forced the firm to declare force majeure at its container terminals, the Ministry of Public Enterprises said.
Hackers used never-before-seen wiper in recent attack on Iranian train system (ZDNet) SentinelOne analysts were able to recreate the July 9 attack and identify the threat actor behind it.
Leaked Documents Reveal Iran’s Contingency Plans for Sinking Cargo Ships, Attacking Fuel Infrastructure With Cyber Attacks (CPO Magazine) A set of documents obtained by Sky News, allegedly obtained from the Iranian cyber command, details plans by Iran to do advanced real-world damage with cyber attacks.
Leaked Iranian intel sheds light on proxy war with Israel (Haaretz) Sky News obtained five top secret reports by an Iranian Revolutionary Guards intel unit potentially revealing plans by Iran to use possible cyberattacks to target ships. However, sources say the planning may be more defensive than offensive.
Hacker downloads close to 300,000 personal ID photos (ERR) A hacker was able to obtain over 280,000 personal identity photos following an attack on the state information system last Friday. The suspect is reportedly a resident of Tallinn.
Estonia says a hacker downloaded 286,000 ID photos from government database (The Record by Recorded Future) Estonian officials said they arrested a local suspect last week who used a vulnerability to gain access to a government database and download government ID photos for 286,438 Estonians.
Northern Ireland suspends vaccine passport system after data leak (BleepingComputer) Northern Ireland’s Department of Health (DoH) has temporarily halted its COVID-19 vaccine certification web service and mobile apps following a data exposure incident.
Crimea “manifesto” deploys VBA Rat using double attack vectors (Malwarebytes Labs) A Crimean “manifesto” hides an attack that infects victims with a VBA Rat, which we also found being deployed through a separate exploit.
ISOMorph Infection: In-Depth Analysis of a New HTML Smuggling Campaign (Menlo Security) Data breaches, malware, ransomware, phishing, and DDoS attacks are all on the rise. And now another type of attack is quickly emerging—HTML Smuggling.
Python packages caught attempting to steal Discord tokens, credit card numbers (The Record by Recorded Future) The operators of the Python Package Index (PyPI), the official repository for Python components, have removed eight libraries this week that contained malicious code.
DoppelPaymer ransomware gang rebrands as the Grief group (BleepingComputer) After a period of little to no activity, the DoppelPaymer ransomware operation has made a rebranding move, now going by the name Grief (a.k.a. Pay or Grief).
Threat Thursday: Hancitor Malware (BlackBerry) Hancitor (AKA Chanitor) malware is a master of disguise. A Hancitor attack initially begins with a malspam email that directs the victim to a webpage serving a fake document. Recently, Hancitor has posed as email from the popular document signing utility DocuSign®.
How Low-level Hackers Access High-end Malware (SecurityWeek) The proliferation of pirated hacking tools and underground forums is allowing previously low-level actors to pose serious risks to enterprise security
E-mails claiming your computer was hacked and your privacy exposed – what you need to know (spoiler: you can relax – they’re bluffing) (Bitdefender) In the past two weeks, Bitdefender Antispam Lab has been tracking a couple of extensive extortion campaigns leveraging user credentials exposed in data breaches and leaks in recent years. The attacks spread across the globe, with unusually high numbers of spam emails reaching users in Romania (over 400,000 emails), Italy and the Netherlands. The messages originate from multiple IP addresses in Europe, Asia, Africa and the Americas. It seems they’ve been distributed en masse via a large spam bot
Microsoft researcher found Apple 0-day in March, didn’t report it (Naked Security) Ut tensio, sic uis! Does twice the bug pile on twice the pressure to fix it?
Python developers are being targeted with malicious packages on PyPI (JFrog) JFrog finds a new supply chain attack targeting python developers using the PyPI repository
Serious Vulnerabilities Found in Firmware Used by Many IP Camera Vendors (SecurityWeek) IP cameras from a dozen vendors are exposed to remote attacks due to serious vulnerabilities found in the firmware they all use.
Cyber experts warn of ransomware risks during the Tokyo Olympics (PropertyCasualty360) Should the Summer Games face a cyberattack, the losses would be significant.
Akamai outage is latest warning about Internet dependency (Urgent Communications) Dangerous things, software updates. Push the wrong button and they can be as devastating as any Chinese cyberattack, plunging parts of the Internet into darkness.
MassHealth Members Impacted by Health Data Breach (Health IT Security) A third-party vendor’s data breach is impacting over 2,000 MassHealth patients’ PHI.
Entertainment tech provider D-Box recovering from ransomware attack (The Daily Swig) Cyber-attack ‘limited to internal…